Let the Buyer Beware' Is a Good Adage to Embrace as It Pertains to Cybersecurity

Virtually everyone these days purchases goods and services via the internet because it is so easy and convenient, and often less costly. This is especially true during the holiday gift-giving season. The National Retail Federation (NRF) estimates that in the United States, ecommerce in November and December alone will range between $957.3 billion and $966.6 billion. While this is a tremendous boon for online merchants and service providers, it is equally advantageous for cyberattackers.

This is a cautionary tale not only for consumers but also for businesses and other organizations, such as public-safety agencies and court systems. The reality is that personnel often use their work computers to make online purchases even when their employer has forbidden the practice. In many cases, the employee’s work computer doubles as their personal computer. This scenario makes cybersecurity much more challenging.

We’re here to help. Even though the holiday shopping season is winding down, ecommerce will march on. (The NRF estimates it will end up at about $1.4 trillion this year.) So, the rest of this blog offers best practices that anyone engaging in ecommerce can use year round to avoid a cybersecurity disaster.

Don’t trust but verify — Cyberattackers are smart and clever. They often spoof legitimate websites in the hope of luring unsuspecting victims into a trap. Before clicking on any website link, first confirm the legitimacy of the website by taking a good look at the uniform resource locator (URL) found in the address window. Check for misspellings or other errors, which are dead giveaways that something is amiss. Check for the padlock icon or whether the URL begins with “HTTPS://.” The initialization stands for “Hypertext Transfer Protocol Secure,” which encrypts data transmitted between a web browser and a website to ensure cybersecurity. If neither of these elements are visible, then you shouldn’t engage in ecommerce with that website.

Further, search the website for the company’s privacy policy — if it can’t be found on the website, that’s a red flag. If it does exist, read it. The document will contain a lot of legalese that might be difficult to grasp — but don’t let that dissuade you. Look for the section that explains how the company uses and protects your data. Also pay attention to the data the company collects that’s private. Cyberattackers try to access such data as a first step toward getting to where they really want to go. For example, an employee might be using the same password for an ecommerce site that they’re using to access their organization’s networks and systems. If the password isn’t complex enough, it will be easy for a cyberattacker using brute-force tactics to crack it — and if multifactor authentication isn’t in place, they’re in.

Also look for contact information and then determine how difficult the company makes it to contact them. If it’s the equivalent of a root canal, then the company might not be trustworthy.

Check for whether any suspicious behaviors have been associated with the website if it’s one that is new to you. Several websites exist for this purpose:

• Is It Hacked?
• VirusTotal
• PhishTank
• FTC Scam Alerts

It’s also a great idea to check the website’s age. If it’s only been active for a few days or even weeks, you probably shouldn’t trust it. Here’s a tool that will enable you to check it out: https://whois.domaintools.com/.

Strictly limit where you get apps — Ecommerce applications can be downloaded from just about everywhere — and that’s a big problem. Here’s an example. Let’s say that you’re on a favorite website and you see an advertisement that looks interesting. You then click on the ad, which is harmless enough. But then you are transported to the advertiser’s website — and that’s where the trouble begins. Once there, you are invited to download an application — which might contain malware. This is less likely when you’re interacting with a known entity, e.g., Best Buy or Amazon. But if the entity is less known — or worse, unknown — downloading an app directly from their site is a very bad idea. It’s imperative then that applications are downloaded only from authenticated sources, which means Google Play and the Apple Store. Getting them from anywhere else places you at risk of a cyberattack.

There’s no foolproof way to ensure total safety when engaging in ecommerce, but clear indicators exist that warn of potential danger. In a way, this is a little like unraveling a mystery — you constantly must be on the lookout for telltale clues. Following these best practices will help you do that and put you in a much better position to avoid a debilitating cyberattack.

Jason Franks is an MCP cybersecurity specialist. Email him at JasonFranks@MissionCriticalPartners.com.